The banking sector has been a frequent target for hackers nowadays. As much as US$1 billion were stolen from banks and other financial companies worldwide in about two years, wherein it is considered as one of the biggest banking breaches known, by a multinational gang of cybercriminals dubbed as the “Carbanak gang” originating from Russia, Ukraine, and other parts of Europe as well as from China.

The gang targeted banks, electronic payment systems, and other financial institutions worldwide with the majority of the targets in Russia, USA, Germany, China and Ukraine. They already infiltrated more than 100 banks in 30 countries, stealing as much as $10 million in each raid.

Kaspersky Lab and authorities from different countries had combine efforts to uncover how the criminals act. On average, each bank cyber robbery took between two and four months from infecting the first computer at the bank’s corporate network to cashing the money out.

The cybercriminals used Carbanak malware to infect the bank’s network giving them access to the employees’ computers, and letting them see and record everything that happened on the screens of staff who service the cash transfer systems. This way the fraudsters got to know every last detail of the bankers work that show them how to mimic the staff to transfer the money and cash out.

Once the time came to exploit on their activities, the fraudsters used online banking or international e-payment systems to transfer money to their accounts. In the second case, the stolen money was transferred to banks in China and the US.

In other cases, cybercriminals penetrated right into the very center of the accounting systems, inflating account balances before getting the extra money through a counterfeit transaction. For instance, the account has $1,000 and the criminals can change its value to $10,000 and then transfer $9,000 to themselves. The account holder doesn’t suspect a problem because the original $1,000 dollars is still there.

In addition, the cybercriminals can also take control of banks’ ATMs and order them to dispense cash at a specific time. When the payment was due, one of the gang’s underlings was waiting next to the machine to collect the ‘voluntary’ payment.

Kaspersky did not identify the banks affected by the attacks because of a confidentiality agreement. They are still working with law-enforcement organizations to investigate the attacks.

Research says that the first malicious samples were compiled in August 2013 when the cybercriminals began to test the Carbanak malware and the first infections were detected in December 2013. The gang was believed to successfully steal from their first victims during the period of February to April 2014. The peak of infections was recorded in June 2014.

However the campaign is still currently active. Kaspersky urge all financial organizations to carefully scan the network for presence of Carbanak malware and if detected, report the intrusion to law enforcement.